In previous posts, I discussed a few browser extensions for Firefox and Chrome that turn the browser into a penetration testing tool. But what if you could get a browser with all those security extensions built in? Yes, it is true. OWASP Mantra is a web browser that comes with all security add-ons preinstalled and configured. You only need to download this web browser and then start testing web applications. This browser is available for free, and you can install more extensions if you want. With this post, I am going to start a series of articles covering every aspect of Mantra. I will discuss what Mantra is and how to use it for penetration testing. This post is a simple introduction to the Mantra browser and its interface.
OWASP Mantra Browser
Mantra is a nice web browser developed by OWASP (Open Web Application Security Project). I am sure you have already heard the name of the company. Mantra is a free web browser that comes with a powerful set of security tools. It also comes with FireCAT integration, which makes it an even more powerful browser for security researchers. I think we should not call it just a browser. OWASP Mantra is a web application security testing framework that is built on top of a web browser.
If you use BackTrack or Matriux, you have already seen it, because it comes pre-installed on them. Mantra has a nice GUI. It also comes in a portable version that you can carry with you on memory cards or flash drives.
Mantra was started by Abhi M. Balakrishnan and Gokul C. Gopinath back in October 2010. The first public release was launched on 5 December 2010, but it was only for Windows browsers. Later it was improved and made available for other browsers too. Initially, it was based on Firefox. In September 2011, Mantra came with Chromium as MOC aka “Mantra on Chromium.” Later it was also added in security distributions, including BackTrack and Matriux.
Features of Mantra
There are many features of the Mantra browser. A few notable features are:
- FireCAT/KromCAT menu structure
- Many security and proxy tools
- Quick access to tools and features
- Proxy, cookies and cache management tools
- FTP, SSH, REST and SQLite clients
- Open pentest bookmarks collection to access various security resources and portals
- URL increment/decrement buttons for quickly changing the URL
- Portable version is also available
- And many more
Tools of Mantra
As I mentioned above, Mantra comes with most of the available security extensions. All security extensions are divided into a few categories based on their functions and features. These are the tool categories:
- Information gathering
- Network utilities
- Application auditing
Every category contains many tools. We will discuss all tools in detail in later posts.
Download OWASP Mantra
OWASP Mantra is available for free.
You can download Mantra for Windows, Linux, and Macintosh. Download here: http://www.getmantra.com/owasp-mantra.html
You can also download light versions here, built on either Firefox or Chromium:
Getting Started with Mantra
After installation, run the browser. You will find that the default page is similar to the Windows 8 start screen. Actually, it is the default welcome page. As I have downloaded the Chromium version, for me it will work as Chrome.
Figure 1: Mantra Start Screen
Now we will see what different features this browser brings with it.
If you are a Chrome user, you will see that it has a few extensions already installed. I found two new icons in the omnibar. The first icon belongs to Extensioner and the other was Quick Notes.
Clicking on the Extensioner icon will show you some security-related tool categories and a setup link at the bottom. The default background color of all the categories is red.
Figure 2: Extensioner Pop Up Window
Clicking on any of the categories will enable the extensions belonging to that category. When I clicked on Information Gathering, it automatically enabled all the browser extensions related to Information Gathering and changed the background color of this category to green.
Figure 3: Check All enabled Extensions
Due to lack of space, it displays only two extension icons in the omnibar and minimizes the others, so do not forget to click on the mode arrow icon to check all extensions. See the above screenshot.
The categories shown above are just groups of extensions with similar functions or the same functional area.
By default, I can see only six groups. The Mantra browser also lets us create our own groups of extensions or rename the existing groups. We can also decide which extensions should be in which group, change the existing groups, and move extensions from one group to another. However, the default categories are nice and descriptive. You can easily understand what the extensions will do just from the name of the group.
To change or create a group, just click on the setup link below the extension popup menu.
Figure 4: Extensioner Setup
Just after clicking on that link, you will land on a new tab “Extensioner,” with the list of available extensions and groups. This is the main setup page which lets us change group options and the placement of extensions. This page has two columns. At the right side, it lists the available groups of extensions. Newly added groups will be added at the bottom of this section. All the operations on the group will be performed at this side. On the left side, it lists all the extensions installed in the browser. If you install more extensions, they will be automatically listed in this section.
Figure 5: Extensioner Setup Window
At the top of the page, you see a check box saying “Autosave.” By default, the box is checked. This means that all changes you make will be saved automatically. If you do not want it to automatically save the changes, you can uncheck the box. When you do that, a Save Changes button will automatically appear.
Create New Group
To create a new group, there is a small form at the top right side of the page. Here you can enter the name of your new group and then click on the “Create New Group” button.
Figure 6: Create New Group Extensioner
After clicking on the button, a new group will be added at the bottom of the existing groups. To add extensions to this new group, you only need to drag extensions from the left side list and then drop them on the group. You can also add extensions to the default extension groups that came with the browser. For testing purposes, we are adding the AntiXSS and Chrome Crawler extensions to our newly created group. You can add as many extensions as you want to the group. An extension can also be in multiple groups.
Figure 7: Custom Group Extensioner
If you want to remove an extension from the group, just move your mouse over the group and then over to the extension name. You will see an “X” icon on the right side. Click on it to remove an extension from the group. It does not ask for delete confirmation.
In case you want to rename or delete a group, move your mouse over the name of the group. You will see links to rename or delete the group.
Figure 8: Rename or Delete a Group
Clicking on “rename” will let you change the name of the group and clicking on “X” will delete the group. You can also rename or delete default groups.
When you are done adding extensions to your new group, click on the Extensioner icon again to see your new group in the list. If you have not selected autosave, you need to save your changes before seeing your new group live in the Extensioner popup.
When you click on the Extensioner icon after saving your changes, you will see your newly created group in the list but with a different background, so it is easy to identify user-created extension groups.
Figure 9: Checking Added Group in Browser
Clicking on this newly created group will enable all the extensions you have added to the group. Later it changes the color to the original. I am confused about what this color means. A similar background also appeared in the other, too.
In this way, we can enable or disable multiple extensions simultaneously just by creating the groups. Each group contains many extensions. We will test and review all the extensions belonging to these groups in later posts in detail.
The other default icon was for the Quick Notes extension. Quick Notes lets you send emails directly from your browser via your default email client. In my system, it was Gmail. So, when I tried to send an email, it landed in Gmail’s compose window. This helps when you quickly want to send something you found interesting to a friend.
Figure 10: Quick Notes
Checking All Installed Extensions
Open the extensions section to see the pre-installed browser extensions. For this, click on the settings icon at the top right corner and then select options.
Figure 11: Opening Menu in Mantra
On the options page, select the “Extensions” tab in the left side bar.
Figure 12: Options Window in Mantra
Now, you will see all the extensions that come with Mantra Chromium.
Many security extensions for Chrome are already there in the browser. If you are a regular reader of the resources section, you already know a few of those, because I have posted a few Google Chrome security-related extensions and Firefox security add-ons last month.
Figure 14: Extensions window Mantra
These are the extensions used in the browser. When you enable any category from the Extensioner option, it enables a few extensions from the list. In case you want to use only a few specific ones, you can enable them from the extension list here. See all installed extensions in the list. If you want to know more about a tool, you can click on its web store link.
Basic Security Scanning of a Web Page
Open any web page in the browser and right-click anywhere on the page. You will see an option “Analyze page for security issue.” Click on the option to scan the page and find possible security issues.
Figure 15: Analyzing Google Home Page for Security Issues in Mantra
When you use this option, it opens a new tab with a small security scan report of the page. This scan is powered by the Recx Security Analyser Google Chrome extension. See the sample report below:
Figure 16: Scan Report of Google Home page Generated by Recx Security Analyser
Recx Security Analyser is a nice Google Chrome extension that lets security researchers find general security issues on a web page. This is a must-have extension for developers and quality assurance testing professionals. Sometimes, this extension reveals potential security risks. You can see that it also helps in detecting whether the website has protection for click-jacking or not by checking x-frame headers. It also gives explanations of various things so that you can easily understand the issue.
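To make the click-jacking check described above concrete, here is an added example (not code from Recx Security Analyser or Mantra) that evaluates a page's response headers for framing protection. The function name `assessFraming` and the sample header sets are constructed for illustration, and the example also covers the CSP `frame-ancestors` directive, which the article does not mention.

```javascript
// Added example: decide whether response headers restrict framing of a page.
// Header names are matched case-insensitively, as HTTP requires.
function assessFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];
  let viaXfo = false;
  let viaCsp = false;

  // X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
  const xfo = h['x-frame-options'];
  if (xfo !== undefined) {
    const value = xfo.trim().toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      viaXfo = true;
    } else if (value.startsWith('ALLOW-FROM')) {
      findings.push('X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers');
    } else {
      findings.push(`X-Frame-Options has an unrecognised value: ${xfo}`);
    }
  }

  // Content-Security-Policy: look for a frame-ancestors directive.
  const csp = h['content-security-policy'];
  if (csp !== undefined) {
    for (const directive of csp.split(';')) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() !== 'frame-ancestors') continue;
      if (sources.includes('*')) {
        findings.push('CSP frame-ancestors allows any origin (*)');
      } else {
        viaCsp = true;
      }
    }
  }

  if (!viaXfo && !viaCsp) findings.push('No effective framing restriction is set');
  return { protected: viaXfo || viaCsp, findings };
}

// Constructed sample header sets (not captured from any real site).
const SAMPLES = [
  { 'X-Frame-Options': 'SAMEORIGIN' },
  { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  {},
];
for (const s of SAMPLES) console.log(JSON.stringify(s), '->', assessFraming(s));
```
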
This was a simple scan just for information-gathering purposes. For full vulnerability scanning, there are many popular extensions in the Mantra browser. We will discuss all the tools in detail one by one, starting with groups.
In this part, we have seen the basic features of Mantra. We have also discussed the categories of tools and seen the list of extensions. Really, Mantra is a powerful web browser and a must-have tool for security researchers. We have seen how to create new groups in Extensioner and how to move extensions among different categories of tools. We have yet to cover the security tools that come with the browser. We will discuss all categories of tools in later posts.
Do not forget to leave a comment if you have any questions about this article. You can also share if you have anything to say.